Because of the statement "of course the blank password fails" I am guessing Cross Reference Blank Passwords is turned on so AR System will look to LDAP and fail. Unless there is an account for Demo with a blank password in LDAP :)
Jason On Wed, Dec 19, 2012 at 4:37 PM, John Sundberg < [email protected]> wrote: > ** > You could also change the password back to blank -- let is succeed for > awhile with the API logs on. > > It might be very obvious what it is once you see what it is trying to > access. > > Like -- possibly an integration to populate CMDB or something like that. > (And then you go AHA -- now I know ….) > > > > -John > > > > > > On Wed, Dec 19, 2012 at 2:37 PM, Mueller, Doug <[email protected]>wrote: > >> Claire, >> >> Turn on API logging for a few minutes and capture some cases where the >> user Demo >> shows up. >> >> The API log will give you the client type of the client. If it is one of >> the >> components of the system from BMC or from some partner or your own >> developers who >> have set the client type, that will tell you what type of thing the >> access is from. >> If it says client-type of 0, that means it is probably a custom written >> API program. >> >> The API log also will give you the IP address of where the call came >> from. Now, >> if you have a complex environment with firewalls that rewrite IP >> addresses, that >> may or may not help, but in many environments, it is the IP address of >> the source >> machine of the API call. That will tell you where to look for your >> caller. If the >> caller is a browser session, the IP address will be of the mid-tier >> rather than the >> actual browser, but if it is the mid-tier, it will tell you it is an >> interactive >> user logging in as Demo -- just not where from. >> >> This is at least a good starting point to work from. >> >> Good luck finding your rogue Demo users.... >> >> Doug Mueller >> >> -----Original Message----- >> From: Action Request System discussion list(ARSList) [mailto: >> [email protected]] On Behalf Of Sanford, Claire >> Sent: Wednesday, December 19, 2012 11:26 AM >> To: [email protected] >> Subject: Remedy ITSM - Demo gone wild! >> >> When our system was installed, Demo had no password since that is the >> default. >> >> I reset the Demo password in the User form. >> >> Demo keeps trying to log into the system and of course the blank password >> fails. Is there anywhere I can look to see where "Demo" has been put as >> the admin user? Something is using Demo and failing. 12176 times in the >> last 20 days. >> >> >> >> ITSM 7.6.04 SP2 >> ARS 7.6.04 SP3 >> Oracle 11.2.0.3.0 - 64bit Production >> Win 2008 Server >> >> Claire Sanford >> Information Systems Division >> Memorial Hermann Healthcare System >> [email protected] >> >> >> _______________________________________________________________________________ >> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org >> "Where the Answers Are, and have been for 20 years" >> >> >> _______________________________________________________________________________ >> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org >> "Where the Answers Are, and have been for 20 years" >> > > > > -- > > *John Sundberg* > Kinetic Data, Inc. > "Your Business. Your Process." > > *Save The Date! *Second Annual KEG (Kinetic Enthusiasts Group) > Feb. 25th - March 1st in Denver, CO. For more information click here - > KEG<http://www.kineticdata.com/Events/KEG.html> > > 651-556-0930 I [email protected] > www.kineticdata.com I community.kineticdata.com > > > _ARSlist: "Where the Answers Are" and have been for 20 years_ _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
